Great Circle Associates Firewalls
(December 1996)

Subject: Re: Linux as a Firewall Platform
From: Greg Whalin <gwhalin @ numerix . com>
Date: Tue, 17 Dec 1996 20:17:48 -0600 (CST)
To: Bernd Eckenfels <lists @ lina . inka . de>
Cc: arne @ Steinkamm . COM, firewalls @ GreatCircle . COM
In-reply-to: <m0va8vs-0004ixC @ lina>

How does one go about setting the append-only and/or immutable flags?
Also, how would you patch sysctl.c in order to get write access?  Just
change the 0444 to 0644 in the line:

{KERN_SECURELVL, "securelevel", &securelevel, sizeof(int),
         0444, NULL, &proc_dointvec, (ctl_handler*)&do_securelevel_strategy},

????

Where is some good reading concerning the above info?  I have searched
around on the web and on various ftp sites, but have found nothing
substantial.
Greg

--------------------
Greg Whalin
gwhalin @ numerix . com

On Wed, 18 Dec 1996, Bernd Eckenfels wrote:

> Hi Arne, List..
> 
> > > If a hacker gains root on your firewall, haven't you, uhh, already lost?
> > 
> > *No* !
> 
> Of course you have. Your firewall is compromised aka useless. The hacker can
> switch off all filter rules or add dynamic ones to hack the hosts behind the
> firewall, making the protection of the firewall void.
> 
> It depends on your internal security policy how much damage you will get from
> it. If you don't trust the firewall (with a router behind the firewall
> making the firewall unable to snoop the internal net, or if you don't trust
> the firewall at all), then it won't be much of a problem. But of course this is
> independent of the firewall OS. If you really care, build a two-walled
> system, with the inner system shutting off the interface to the outer one if
> it suspects an intruder...
> 
> > And back to the root of the thread: No, Linux has nothing comparable,
> > that's one of the reasons I don't use Linux for firewall boxes.
> 
> Since ext2fs supports append-only and immutable (which is protected by
> securelevel), choosing an operating system needs to be decided by other
> (valid) differences.
> 
> Greetings
> Bernd
> 
> PS: the "sf firewall" for Linux can be retrieved from:
> http://www.ifi.unizh.ch/groups/bauknecht/SINUS/firewall.html
> I would recommend that software for firewalls with two interfaces.
> 
> PPS: yes, writing to /proc/sys/kernel/securelevel in Linux does not work
> with some kernels, the 0444 in sysctl.c needs to be patched...
> 
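As an added illustration (not from either poster), the ext2fs flags discussed above are set with chattr and checked with lsattr; the script below wraps the two calls so a firewall box's config files can be made immutable (+i) and its logs append-only (+a), and audits that the flags are present. The file paths are constructed examples.

```shell
#!/bin/sh
# Added example: protect firewall files with ext2fs immutable/append-only
# flags. chattr/lsattr come from e2fsprogs; setting or clearing +i/+a
# needs root, and on kernels that enforce securelevel > 0 the flags can
# no longer be cleared once set, which is the point of raising it.
set -u

# Return 0 if attribute letter $2 is present in an lsattr output line $1,
# e.g. flag_set "----i--------e-- /etc/passwd" i
flag_set() {
    attrs=${1%% *}            # first field holds the attribute letters
    case "$attrs" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Apply +i (no modify/rename/unlink) to a config file or +a (open only
# for append) to a log, then confirm the kernel really recorded the flag.
protect() {                   # usage: protect i|a /path
    chattr "+$1" "$2" || return 1
    flag_set "$(lsattr "$2")" "$1"
}

# Report every listed file that lacks the expected attribute.
audit() {                     # usage: audit i /etc/passwd /etc/rc.d/rc.firewall
    want=$1; shift; rc=0
    for f in "$@"; do
        flag_set "$(lsattr "$f" 2>/dev/null)" "$want" ||
            { echo "MISSING +$want: $f"; rc=1; }
    done
    return $rc
}
```

Run `protect i` on rule scripts and `protect a` on the log files once the box is configured, and put `audit` in a cron job so any cleared flag is reported.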


